NAC industry at a crossroads

Device authentication technology is failing to deliver on its promise, experts say

According to Steve Hanna, a distinguished engineer at Juniper Networks and the de facto spokesman for the network access control (NAC) industry, device authentication technology is failing to deliver on its promise.

Companies like Juniper, Cisco, and a long list of point providers may have already sold thousands of NAC systems to enterprise customers looking to shore up their network defenses, Hanna said, but that doesn't change the fact that the technology hasn't lived up to its original expectations.

NAC was supposed to become a comprehensive method for both inspecting the health of any device that attempts to log onto a network and for keeping electronic eyes trained on those machines to help manage their access to internal resources and prevent potential attacks after they've been granted admittance, said Hanna.

Instead, Hanna said, most customers have relied on the technology merely to grant network access to guest users and remote workers, its most basic form of functionality, having been confused by contradictory marketing messages about a sea of different technologies that have been labeled as some form of NAC, many of which do not work together.

If NAC is to survive and flourish as a widely used technology amid the growing range of security and authentication tools on the market today, he said, it must quickly mature and move beyond such a narrow model of usage.

"Right now NAC systems are still a bunch of silos. You have network access tools, applications layer security tools, intrusion detection systems, and firewalls, but they're just pieces," said Hanna. "The components haven't been adequately put together, and that's what's stopped NAC from moving forward; hopefully it can grow from here into something more, because if NAC can't provide greater benefits in short order, it won't be adopted."

Unsurprisingly, Juniper's latest addition to its own Unified Access Control platform, the firm's flagship NAC product line, boasts new points of integration with firewalls and intrusion detection systems (IDS).

However, as the co-chair of the Trusted Computing Group's Trusted Network Connect work group, a NAC industry standards effort, Hanna has long maintained that in addition to improving their own products, vendors must work to get their tools to work together to advance the whole market.

That remains one of NAC's biggest stumbling points, he said.

Another major issue is that companies including Cisco continue to market less expansive NAC systems that are aimed primarily at helping users address the guest access problem, which he said might be further confusing customers and lowering expectations of the entire technology itself.

Cisco, which for the record defines NAC as "network admission control," has abandoned its initial "framework" approach to the technology, which more closely resembled Hanna's broad vision for the tools, in favor of selling appliances and software to help businesses give access to network visitors, he said.

By lowering expectations and limiting the understanding of NAC, he said, such efforts may be hurting its potential in the long run. As a result, Hanna is calling for the network security industry to move to "NAC 2.0."

"NAC needs to be unified into a single security architecture; that's what NAC 2.0 can do, it can tell you not just who is on the network, but what are they doing there. That's the real potential," he said. "How we as an industry can tie the pieces together to work as a whole, and then tie them back to specific business objectives around cost and management issues, will largely help determine the future of NAC in general."

Some other NAC vendors agree, and hurl far stronger words at market giant Cisco, which is often credited as the founder of the security niche but is now seen by some as its biggest barrier.

When Cisco launched its OneNAC strategy earlier this year -- essentially telling customers to buy its simpler network admission NAC appliances today and to worry about broader uses of the technology tomorrow -- some smaller vendors claimed the firm was attempting to cover up its own product shortcomings by intentionally dispersing interest in other types of applications.

Cisco has no plans to embrace NAC 2.0 as described by Hanna, said Dominic Wilde, vice president of marketing for Nevis Networks, a maker of network admission and policy enforcement appliances.

And while the market is ready to move forward as Hanna envisions, the networking giant is purposefully trying to confuse customers, Wilde said.

"What Cisco did with OneNAC was try to stall the market because they knew that their framework wasn't ready for customers, and they realized that they helped create a market that their products cannot presently serve," Wilde said. "The bigger idea was for NAC to include threat prevention and access management on an applications level; unlike a lot of other vendors, Cisco can't deliver on that vision of NAC today, so they're trying to keep people focused on their narrow definition."

Another extremely influential player in the evolution of NAC is Microsoft, which has built its own flavor of the technology, Network Access Protection (NAP), into its next generation server OS, code-named Longhorn, due out in early 2008.

While Microsoft hasn't yet delivered its version of NAC, Wilde said that the time differential is forgivable, as the notion of having the technology aligned with one of the OS giant's most popular products is enthralling to nearly everyone.

Like Intel's work to build TCG's pre-connect footprint into its vPro and Centrino chips -- which could allow devices to be authenticated even before they boot up their OS -- the benefits of having NAP built into Longhorn are worth waiting for, he said.

Meanwhile, Cisco executives don't seem to be in any hurry to manipulate their plans to suit the outcry of rival vendors like Juniper and Nevis, one of a vast number of smaller independent NAC tools providers.

Earlier this month, the networking behemoth announced the availability of its Network Admission Control (NAC) Guest Server package, which is aimed specifically at helping companies manage network admission for visitors.

Building guest access is considered the starting point for embracing NAC within most companies, and it remains the use case where Cisco continues to see most of its demand, said company representatives.

Other vendors may be hungry to push customers into other uses for the technology, but that effort may be grounded more in self-interest than actual market dynamics, Cisco NAC product managers said.

"We found out from most customers that guest access is still the most common test bed for NAC, they're not trying to set up complex policies with these systems yet, they want to restrict Internet access and test rules to see how it works," said Cisco NAC marketing manager Irene Sandler. "From there they can broaden the use cases, but that's not what they're working on yet."

When it comes to Cisco's NAC detractors, Sandler said that users shouldn't "confuse vision with deploy-ability," pointing out that few of the other vendor products she has seen can live up to the guest access piece of the equation, let alone the rest of the larger concept espoused by Hanna and others.

Many of those companies have only a handful of customers and are trying to make a name for themselves, while Cisco already has well over 2500 users of its NAC appliances, she noted.

Part of the issue, she said, is that so many companies have created different definitions of NAC to fit their products into the space that everyone seems to have adopted their own meaning of the term.

The difference between Cisco's network admission control and the more generic term of network access control may have grown over the last few years, but not as dramatically as some might argue, Sandler argued.

"People can try to expand the definition of NAC if they have a product that fits within that definition," she said. "Some companies are actually selling intrusion protection; it has become in some cases not a question of Cisco having a certain capacity, but whether or not we define NAC as the same thing as some other vendors."

Alan Shimel, the chief strategy officer at NAC software vendor StillSecure -- who also authors a well-read industry blog -- admits that part of the problem with people's understanding of where exactly the market stands in terms of its evolution is derived from conflicting marketing.

As with any hot IT sector, a number of players who had previously labeled their products otherwise adopted the NAC banner as the niche began to draw interest several years ago, said the expert.

Hanna, he said, is merely trying to drive the NAC sector into the more comprehensive future many hope for, while people like Nevis' Wilde are merely trying to align themselves with potential demand.

For customers to embrace the broader vision of NAC will take time, and the many "Johnny-come-latelies" putting pressure on the market aren't helping to foster realistic expectations, Shimel said.

"I'm not saying that these other types of behavior analysis and post-admission technologies aren't important to extending NAC, they are, but let's not lose sight of the fact that the initial NAC functionality was envisioned around access," Shimel said.

"Things have become terribly confusing for end users; any time you have an over-hyped niche like NAC you get a lot of people with business models that have failed jumping on the bandwagon," he said. "This corrupts the message as people try to make it their own, and there's probably no bigger poster child for that sort of problem right now than NAC."
